Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
- submitted: 22-12-2023 16:33
- Static task: static1
- Behavioral task: behavioral1
- Sample: f325ee7a242e62a3685763de8d71db15.dll
- Resource: win7-20231215-en
General
- Target: f325ee7a242e62a3685763de8d71db15.dll
- Size: 873KB
- MD5: f325ee7a242e62a3685763de8d71db15
- SHA1: 3439a0a62364526a7bcecda134f532d20e578bc0
- SHA256: 064dd0fe494677278bb6d1bc0bc811f872b583604d27a81258023f7c695c0a20
- SHA512: 549c34b5e9f097b91c26c1bf37688eb60169cef025a0466212536446494cda53e4f08d626cdf6ec97c393f18b9119543d1064da7783390438f6519aea631ebb1
- SSDEEP: 24576:Zxru6GOISSgyFCsIysmcWy0WToFwYqOss:Zw6jsgyzGTQ
Malware Config
Signatures
- Processes (resource, yara_rule):
  behavioral1/memory/1936-0-0x0000000140000000-0x00000001400E2000-memory.dmp   dridex_ldr_dmod
  behavioral1/memory/1224-24-0x0000000140000000-0x00000001400E2000-memory.dmp  dridex_ldr_dmod
  behavioral1/memory/1224-35-0x0000000140000000-0x00000001400E2000-memory.dmp  dridex_ldr_dmod
  behavioral1/memory/1936-38-0x0000000140000000-0x00000001400E2000-memory.dmp  dridex_ldr_dmod
  behavioral1/memory/1224-37-0x0000000140000000-0x00000001400E2000-memory.dmp  dridex_ldr_dmod
  behavioral1/memory/472-53-0x0000000140000000-0x00000001400E3000-memory.dmp   dridex_ldr_dmod
  behavioral1/memory/472-58-0x0000000140000000-0x00000001400E3000-memory.dmp   dridex_ldr_dmod
  behavioral1/memory/1984-77-0x0000000140000000-0x00000001400E3000-memory.dmp  dridex_ldr_dmod
  behavioral1/memory/2888-95-0x0000000140000000-0x00000001400E3000-memory.dmp  dridex_ldr_dmod
- Processes (resource, yara_rule):
  behavioral1/memory/1224-5-0x00000000025B0000-0x00000000025B1000-memory.dmp  dridex_stager_shellcode
Executes dropped EXE 3 IoCs
Processes (pid, Process):
  472   WindowsAnytimeUpgradeResults.exe
  1984  RDVGHelper.exe
  2888  PresentationSettings.exe
Loads dropped DLL 7 IoCs
Processes (pid, Process):
  1224
  472   WindowsAnytimeUpgradeResults.exe
  1224
  1984  RDVGHelper.exe
  1224
  2888  PresentationSettings.exe
  1224
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, Process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\Z87ICQdtD\\RDVGHelper.exe"
Checks whether UAC is enabled
Processes (description, ioc, Process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  WindowsAnytimeUpgradeResults.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  RDVGHelper.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  PresentationSettings.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, Process):
  1936  rundll32.exe
  1936  rundll32.exe
  1936  rundll32.exe
  1224  (the remaining 61 of the 64 entries; no process name is recorded for this pid)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, Process, procid_target); each row is recorded three times in the report:
  PID 1224 wrote to memory of 576   pid 1224  procid_target 30
  PID 1224 wrote to memory of 472   pid 1224  procid_target 31
  PID 1224 wrote to memory of 1784  pid 1224  procid_target 32
  PID 1224 wrote to memory of 1984  pid 1224  procid_target 33
  PID 1224 wrote to memory of 1044  pid 1224  procid_target 34
  PID 1224 wrote to memory of 2888  pid 1224  procid_target 35
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f325ee7a242e62a3685763de8d71db15.dll,#1
  PID: 1936
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
  Command line: C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
  PID: 576
- C:\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe
  Command line: C:\Users\Admin\AppData\Local\uh5D\WindowsAnytimeUpgradeResults.exe
  PID: 472
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\RDVGHelper.exe
  Command line: C:\Windows\system32\RDVGHelper.exe
  PID: 1784
- C:\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe
  Command line: C:\Users\Admin\AppData\Local\1eHhzG\RDVGHelper.exe
  PID: 1984
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
- C:\Windows\system32\PresentationSettings.exe
  Command line: C:\Windows\system32\PresentationSettings.exe
  PID: 1044
- C:\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe
  Command line: C:\Users\Admin\AppData\Local\NpffJU\PresentationSettings.exe
  PID: 2888
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 875KB
  MD5: 196598ff5ca15cf9e0707217dc6d7b29
  SHA1: b922c0ee6765e9ae8da0c2adfe77e0a750c59303
  SHA256: beb9ab605985ae7fd93625e8add4b495670c22ad1d82d7f0cc791e00e8bdb516
  SHA512: a97b2082adc8c2181a8493a9b63acf3967bfb7716f257185dfc187cc2fc1d725fe13b8341e33b28c13204cda06065332348816ffea6426273725772604e13c82
- Filesize: 877KB
  MD5: 7217453a9effb28e36dd6885c8352856
  SHA1: 5634b120fec22840c0839af617a9bf361753dd94
  SHA256: 90484abccb733d75d4821fbfb338799d4edadfcff96dbe801b565afc4f3a3480
  SHA512: a5b9acf48b5f0378113cdec10d61773890f07bbb46bc01d789ca435319860354930f5779e70212cbfbe0b41c54f12f2964621ed6cbf9ae97859e76bf79100d62
- Filesize: 874KB
  MD5: caecc633f69c34100f93c328738c6eeb
  SHA1: b4fa93e24f142d98b17a852d78cc7dbe22f6c23c
  SHA256: 797c1e567d949944e768e7fdf8ce146ba65ef18c0c07dd478864965a4a714549
  SHA512: 926dc72d637aca0771c6f7ee42e025d6ac9a80530a4e03893f8ee0fbde3cd07d7ecccfcf28e67a8bcff1b15206a9056f30ef1820b933cb110458052d0d0851a3
- Filesize: 1KB
  MD5: fd8e6868846e14ed5d416aaf1b781911
  SHA1: c226e4a9fa0b1b94091f4984b6f7d9c8f82c1734
  SHA256: b80db88bac303296cb065106ca51e9a57aa282b2700995b5d83cc52c0451490f
  SHA512: eecbf5cada50937f88b6d9eacce5e90369ae50cf32204aa89d57febdd8128e079c4974fcb112cdde02504ab926adb901e5ef0243cbcfe3cb52385211c8b0ab9a
- Filesize: 93KB
  MD5: 53fda4af81e7c4895357a50e848b7cfe
  SHA1: 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
  SHA256: 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
  SHA512: dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051
- Filesize: 172KB
  MD5: a6f8d318f6041334889481b472000081
  SHA1: b8cf08ec17b30c8811f2514246fcdff62731dd58
  SHA256: 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
  SHA512: 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69
- Filesize: 288KB
  MD5: 6f3f29905f0ec4ce22c1fd8acbf6c6de
  SHA1: 68bdfefe549dfa6262ad659f1578f3e87d862773
  SHA256: e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b
  SHA512: 16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e